Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 08:52

General

  • Target

    a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    a8d30948ead7b16c235f9e8eb6848241

  • SHA1

    9afba754a8f4e041a74a8abbd98a7aa2f0484237

  • SHA256

    0ad04d3ff44f188fe417201848835923380b0a205d08c24638999c05d86cd9f8

  • SHA512

    f51937d65bec063702c2b056e80be6bdb76ec2b0d07223edab2bc45cbee03e48957e2ea081374a6935b00a6b2842ad088242dc9d8e74b525511e76d9b598a6cd

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZh:0UzeyQMS4DqodCnoe+iitjWwwV

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 52 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2788
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2472
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1732
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:1456
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                  PID:2180
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                      PID:1936
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:1820
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                      PID:1500
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    PID:2092
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                        PID:3236
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      PID:2004
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                          PID:3204
                      • \??\c:\windows\system\spoolsv.exe
                        c:\windows\system\spoolsv.exe SE
                        5⤵
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        PID:2828
                        • \??\c:\windows\system\spoolsv.exe
                          "c:\windows\system\spoolsv.exe"
                          6⤵
                            PID:3832
                            • \??\c:\windows\system\explorer.exe
                              c:\windows\system\explorer.exe
                              7⤵
                                PID:3940
                          • \??\c:\windows\system\spoolsv.exe
                            c:\windows\system\spoolsv.exe SE
                            5⤵
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            PID:1584
                            • \??\c:\windows\system\spoolsv.exe
                              "c:\windows\system\spoolsv.exe"
                              6⤵
                                PID:4024
                            • \??\c:\windows\system\spoolsv.exe
                              c:\windows\system\spoolsv.exe SE
                              5⤵
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              PID:2748
                              • \??\c:\windows\system\spoolsv.exe
                                "c:\windows\system\spoolsv.exe"
                                6⤵
                                  PID:3480
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                PID:1440
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                    PID:3916
                                    • \??\c:\windows\system\explorer.exe
                                      c:\windows\system\explorer.exe
                                      7⤵
                                        PID:2964
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    PID:2812
                                    • \??\c:\windows\system\spoolsv.exe
                                      "c:\windows\system\spoolsv.exe"
                                      6⤵
                                        PID:3244
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Executes dropped EXE
                                      • Drops file in Windows directory
                                      PID:1748
                                      • \??\c:\windows\system\spoolsv.exe
                                        "c:\windows\system\spoolsv.exe"
                                        6⤵
                                          PID:2356
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        PID:636
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        PID:1788
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        PID:1756
                                        • \??\c:\windows\system\spoolsv.exe
                                          "c:\windows\system\spoolsv.exe"
                                          6⤵
                                            PID:3928
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Executes dropped EXE
                                          • Drops file in Windows directory
                                          PID:1896
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Executes dropped EXE
                                          • Drops file in Windows directory
                                          PID:2136
                                          • \??\c:\windows\system\spoolsv.exe
                                            "c:\windows\system\spoolsv.exe"
                                            6⤵
                                              PID:3524
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:916
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:2772
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:920
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:2564
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:2072
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:936
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:2312
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:2736
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:1376
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:1992
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:2376
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:684
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            PID:2076
                                            • \??\c:\windows\system\spoolsv.exe
                                              "c:\windows\system\spoolsv.exe"
                                              6⤵
                                                PID:1032
                                            • \??\c:\windows\system\spoolsv.exe
                                              c:\windows\system\spoolsv.exe SE
                                              5⤵
                                              • Executes dropped EXE
                                              • Drops file in Windows directory
                                              PID:2652
                                            • \??\c:\windows\system\spoolsv.exe
                                              c:\windows\system\spoolsv.exe SE
                                              5⤵
                                              • Executes dropped EXE
                                              • Drops file in Windows directory
                                              PID:1148
                                              • \??\c:\windows\system\spoolsv.exe
                                                "c:\windows\system\spoolsv.exe"
                                                6⤵
                                                  PID:3112
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Executes dropped EXE
                                                • Drops file in Windows directory
                                                PID:1984
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                • Executes dropped EXE
                                                • Drops file in Windows directory
                                                PID:884
                                                • \??\c:\windows\system\spoolsv.exe
                                                  "c:\windows\system\spoolsv.exe"
                                                  6⤵
                                                    PID:3532
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:1040
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:1752
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2712
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2196
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2116
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:1524
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2404
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2972
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:768
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:1924
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2520
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:1512
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2516
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:1464
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2844
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:1080
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:2524
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                  • Executes dropped EXE
                                                  PID:2384
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                    PID:1564
                                                  • \??\c:\windows\system\spoolsv.exe
                                                    c:\windows\system\spoolsv.exe SE
                                                    5⤵
                                                      PID:2056
                                                    • \??\c:\windows\system\spoolsv.exe
                                                      c:\windows\system\spoolsv.exe SE
                                                      5⤵
                                                        PID:2296
                                                      • \??\c:\windows\system\spoolsv.exe
                                                        c:\windows\system\spoolsv.exe SE
                                                        5⤵
                                                          PID:2320
                                                        • \??\c:\windows\system\spoolsv.exe
                                                          c:\windows\system\spoolsv.exe SE
                                                          5⤵
                                                            PID:2216
                                                          • \??\c:\windows\system\spoolsv.exe
                                                            c:\windows\system\spoolsv.exe SE
                                                            5⤵
                                                              PID:728
                                                            • \??\c:\windows\system\spoolsv.exe
                                                              c:\windows\system\spoolsv.exe SE
                                                              5⤵
                                                                PID:2796
                                                              • \??\c:\windows\system\spoolsv.exe
                                                                c:\windows\system\spoolsv.exe SE
                                                                5⤵
                                                                  PID:1680
                                                                • \??\c:\windows\system\spoolsv.exe
                                                                  c:\windows\system\spoolsv.exe SE
                                                                  5⤵
                                                                    PID:2308
                                                                  • \??\c:\windows\system\spoolsv.exe
                                                                    c:\windows\system\spoolsv.exe SE
                                                                    5⤵
                                                                      PID:1256
                                                                    • \??\c:\windows\system\spoolsv.exe
                                                                      c:\windows\system\spoolsv.exe SE
                                                                      5⤵
                                                                        PID:804
                                                                      • \??\c:\windows\system\spoolsv.exe
                                                                        c:\windows\system\spoolsv.exe SE
                                                                        5⤵
                                                                          PID:672
                                                                        • \??\c:\windows\system\spoolsv.exe
                                                                          c:\windows\system\spoolsv.exe SE
                                                                          5⤵
                                                                            PID:848
                                                                          • \??\c:\windows\system\spoolsv.exe
                                                                            c:\windows\system\spoolsv.exe SE
                                                                            5⤵
                                                                              PID:2408
                                                                            • \??\c:\windows\system\spoolsv.exe
                                                                              c:\windows\system\spoolsv.exe SE
                                                                              5⤵
                                                                                PID:2784
                                                                                • \??\c:\windows\system\spoolsv.exe
                                                                                  "c:\windows\system\spoolsv.exe"
                                                                                  6⤵
                                                                                    PID:3420
                                                                                • \??\c:\windows\system\spoolsv.exe
                                                                                  c:\windows\system\spoolsv.exe SE
                                                                                  5⤵
                                                                                    PID:1448
                                                                                  • \??\c:\windows\system\spoolsv.exe
                                                                                    c:\windows\system\spoolsv.exe SE
                                                                                    5⤵
                                                                                      PID:3084
                                                                                    • \??\c:\windows\system\spoolsv.exe
                                                                                      c:\windows\system\spoolsv.exe SE
                                                                                      5⤵
                                                                                        PID:3868

                                                                              Network

                                                                              MITRE ATT&CK Matrix ATT&CK v13

                                                                              Persistence

                                                                              Boot or Logon Autostart Execution

                                                                              3
                                                                              T1547

                                                                              Registry Run Keys / Startup Folder

                                                                              2
                                                                              T1547.001

                                                                              Winlogon Helper DLL

                                                                              1
                                                                              T1547.004

                                                                              Privilege Escalation

                                                                              Boot or Logon Autostart Execution

                                                                              3
                                                                              T1547

                                                                              Registry Run Keys / Startup Folder

                                                                              2
                                                                              T1547.001

                                                                              Winlogon Helper DLL

                                                                              1
                                                                              T1547.004

                                                                              Defense Evasion

                                                                              Modify Registry

                                                                              4
                                                                              T1112

                                                                              Hide Artifacts

                                                                              1
                                                                              T1564

                                                                              Hidden Files and Directories

                                                                              1
                                                                              T1564.001

                                                                              Discovery

                                                                              System Information Discovery

                                                                              1
                                                                              T1082

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • C:\Windows\Parameters.ini
                                                                                Filesize

                                                                                74B

                                                                                MD5

                                                                                6687785d6a31cdf9a5f80acb3abc459b

                                                                                SHA1

                                                                                1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

                                                                                SHA256

                                                                                3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

                                                                                SHA512

                                                                                5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

                                                                              • C:\Windows\Parameters.ini
                                                                                MD5

                                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                                SHA1

                                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                SHA256

                                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                SHA512

                                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                              • \Windows\system\explorer.exe
                                                                                Filesize

                                                                                2.2MB

                                                                                MD5

                                                                                e3fc1fbda188b239ea14fd6358b230f3

                                                                                SHA1

                                                                                f529dc377b4641e5a232b17497373164534693e7

                                                                                SHA256

                                                                                c584617d046384bbcbbf53d26fe86b4b6bdc17b6a1a541833c413f76d1033dc1

                                                                                SHA512

                                                                                e9c1a293c3837205df146f57f6e5a2ffa24d4546fafccecc74fe0be9b64c3e63e13bfeb333fd7a1b4729a262fb353999c6c890c189604ece68d7fa2efeff150c

                                                                              • \Windows\system\spoolsv.exe
                                                                                Filesize

                                                                                2.2MB

                                                                                MD5

                                                                                d1786f4c52ffd72677b951e07d170ad7

                                                                                SHA1

                                                                                66f4d43def08ef8f2ec05c6dc908ffb059201d23

                                                                                SHA256

                                                                                ba1d6c2878e0cc7a77a0dfa2633675d0c16060a7d3e5bd9fcf208def4154f672

                                                                                SHA512

                                                                                bd6c5de6384acd46f3ff46bff6e2a51f4116a03a90e2892cfbb331dc93e610a544691a5c21af4a5490ab9a3f806b1a7ccfdd53c795adb3fe3adc3ddbce362f9c

                                                                              • memory/636-1618-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/684-2116-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/916-1897-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/920-1904-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/936-1907-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1148-2119-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1376-1910-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1440-1369-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1456-1194-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1460-2962-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/1500-2520-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/1584-1367-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1672-17-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1672-29-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1672-19-0x0000000000220000-0x0000000000221000-memory.dmp
                                                                                Filesize

                                                                                4KB

                                                                              • memory/1672-0-0x0000000000220000-0x0000000000221000-memory.dmp
                                                                                Filesize

                                                                                4KB

                                                                              • memory/1732-1193-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/1748-1617-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1756-1620-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1788-1619-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1820-1202-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1896-1621-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/1992-2114-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2004-1360-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2072-1906-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2076-2117-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2092-1206-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2136-1622-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2180-2589-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/2180-2509-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/2312-1908-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2376-2115-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2472-42-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2472-60-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2472-70-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2564-1905-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2652-2118-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2736-1909-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2748-1368-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2772-1901-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2788-28-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/2788-25-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/2788-49-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/2788-20-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/2788-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
                                                                                Filesize

                                                                                4KB

                                                                              • memory/2812-1616-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/2828-1363-0x0000000000400000-0x00000000005D3000-memory.dmp
                                                                                Filesize

                                                                                1.8MB

                                                                              • memory/3204-2537-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/3236-2549-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/3420-2788-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/3524-2915-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/3916-2939-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/4024-2659-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB

                                                                              • memory/4024-2665-0x0000000000400000-0x000000000043E000-memory.dmp
                                                                                Filesize

                                                                                248KB